from the a-little-transparency-please dept

The wonderful Freedom of the Press Foundation is now suing the US Justice Department for refusing to reveal its rules and procedures for spying on journalists. You can read the complaint here. The key issue: what rules and oversight exist for the DOJ when it comes to spying on journalists. As you may recall, a few years ago, it came out that the DOJ had been using some fairly sneaky tricks to spy on journalists, including falsely telling a court that reporter James Rosen was a "co-conspirator" in order to get access to his emails and phone records. In response to a lot of criticism, the DOJ agreed to "revise" its rules for when it snoops on journalists.

There is no change to how the F.B.I. may obtain reporters’ calling records via “national security letters,” which are exempt from the regular guidelines. A Justice spokesman said the device is 'subject to an extensive oversight regime.'

Extensive oversight regime, eh? The Freedom of the Press Foundation sought to find out just what kind of extensive oversight there really was -- and came up against a brick wall in the form of black redaction ink:

That's from the DOJ's Inspector General report, concerning a situation where the FBI had used an NSL to access a journalist's communications inappropriately. As the Freedom of the Press Foundation notes, elsewhere in that same report, it appears that the FBI is actually ignoring recommendations of the Inspector General concerning these situations, despite the "First Amendment interests implicated."

As the Foundation notes, the redactions here make the details entirely opaque, and the Inspector General's Office has made it clear that it disagreed with the redactions, saying that revealing the information behind that black ink "is important to the public's understanding of the FBI's compliance with NSL requirements." Given that the Foundation is now suing to find out those details. The lawsuit specifically requests that the DOJ reveal those documents in their entirety, which includes the "extensive regime, rules, guidelines, or infrastructure that oversees the
issuance of NSLs or exigent letters to obtain records regarding a member
of the media" as well as "the current procedures that FBI agents must undertake in advance of
issuing a NSL or exigent letter to obtain records regarding any member of
the media."

I'm going to go out on a limb here and say that the DOJ will reply, hysterically, that revealing this kind of information will put national security at risk and could reveal important law enforcement gathering techniques that will aid those out to harm us or some such crap. Perhaps they'll even toss in a request to dump the entire case for reasons of "national security." Just recognize that this is all busllshit. The request here is not for any details that are going to help any criminals get away with anything. All it is asking for is what process the FBI uses to make sure that it's not violating the First Amendment in spying on journalists. If that's something that needs to be kept secret, there can be only one reason: because the FBI is embarrassed by what it's doing in spying on journalists.

from the with-friends-like-these dept

With all the revelations that have come out about the NSA and our foreign and domestic spy programs, it can, at times, become difficult to parse out exactly what we're supposed to be getting pissed off about and what is the exact kind of spy-work we ought to expect the alphabet agencies to conduct. Some of the groups that are involved in getting these revelations out there don't make it much easier, of course. Take as an example the latest Wikileaks info-dump, which chiefly concerns the NSA's spy program against our ally Japan. From the press release accompanying the documents:

Today, Friday 31 July 2015, 9am CEST, WikiLeaks publishes "Target Tokyo", 35 Top Secret NSA targets in Japan including the Japanese cabinet and Japanese companies such as Mitsubishi, together with intercepts relating to US-Japan relations, trade negotiations and sensitive climate change strategy. The list indicates that NSA spying on Japanese conglomerates, government officials, ministries and senior advisers extends back at least as far as the first administration of Prime Minister Shinzo Abe, which lasted from September 2006 until September 2007. The telephone interception target list includes the switchboard for the Japanese Cabinet Office; the executive secretary to the Chief Cabinet Secretary Yoshihide Suga; a line described as "Government VIP Line"; numerous officials within the Japanese Central Bank, including Governor Haruhiko Kuroda; the home phone number of at least one Central Bank official; numerous numbers within the Japanese Finance Ministry; the Japanese Minister for Economy, Trade and Industry Yoichi Miyazawa; the Natural Gas Division of Mitsubishi; and the Petroleum Division of Mitsui.

Now, what Wikileaks is doing is mashing together the NSA spying on the Japanese government, our ally, with Japanese industry. That's silly, in my estimation. In fact, much of the hand-wringing that goes on about our spy networks spying on allies seems naive in the extreme, as if to suggest that our closest allies aren't conducting similar spy programs on our government. You can insist, if you like, that America should not be spying on her allies, but then I get to insist that you grow up, because that's exactly the kind of work you want the NSA doing.

But on the economic side, things get a little murkier. The NSA has insisted for years that the agency does not engage in economic espionage, actions which would put it out of the norm for how we treat our allies. It's also been clear for some time that the NSA is full of crap in this regard. This latest Wikileaks dump fleshes out just how much economic espionage we do against our allies, even very close allies like Japan.

The documents demonstrate intimate knowledge of internal Japanese deliberations on such issues as: agricultural imports and trade disputes; negotiating positions in the Doha Round of the World Trade Organization; Japanese technical development plans, climate change policy, nuclear and energy policy and carbon emissions schemes; correspondence with international bodies such as the International Energy Agency (IEA); strategy planning and draft talking points memoranda concerning the management of diplomatic relations with the United States and the European Union; and the content of a confidential Prime Ministerial briefing that took place at Shinzo Abe's official residence.

It's just more egg on the face of government and security officials who have claimed to have kept their hands clean of economic espionage. There's sure to be more of interest in the documents as they get parsed out, but if nothing else we can be reminded that the NSA is a spy agency and that its officials have been caught lying over and over again.

from the this-is-ridiculous dept

A few weeks ago, we reported that it appeared German investigators were investigating the excellent German news site Netzpolitik, which covers a lot of the same issues that we do at Techdirt, with a similar sensibility. Netzpolitik had just published stories concerning plans to expand German bulk surveillance efforts to internet users, as well as plans by the German Secret Service to expand its internet surveillance capabilities. As part of this, the site (like we do) published source documents concerning those plans. The site's editor-in-chief Markus Beckedahl, noted:

Naturally, we uploaded the original documents relating to our article because there was still enough disk space and because it is part of our philosophy to enable our readers to inform themselves using the original source. Thus, they can scrutinise us and our reporting.

This resulted in claims of an investigation for "treason," though some later clarified that it appeared that the investigation was into who leaked the info to Nezpolitik, and the site's staff were seen as witnesses, rather than potential defendants. Except... nope. It looks like the original fears were accurate.

If it were up to the Federal Attorney General and the President of the German Domestic Security Agency, two of our reporters would soon be in prison for at least two years. Today, we were officially informed about investigations against our Markus Beckedahl, Andre Meister and an "unknown" party. The accusation: Treason.

Today, we received a letter from the Federal Attorney General of Germany confirming ongoing investigations against our reporters Markus Beckedahl, Andre Meister and an "unknown" source, suspecting us of treason according to the German Penal Code:

Whosoever […] allows a state secret to come to the attention of an unauthorised person or to become known to the public in order to prejudice the Federal Republic of Germany or benefit a foreign power and thereby creates a danger of serious prejudice to the external security of the Federal Republic of Germany, shall be liable to imprisonment of not less than one year.

Until now, we were reported merely as witnesses in the case, but now we shall be held responsible (for treason) like our unknown source(s) – as joint principals.

As Netzpolitik itself notes, this is an incredible attack on the freedom of the press, and the site says it's geared up to fight. Either way, this should really call into question the priorities of the German government, looking to intimidate reporters, rather than hold an open debate about surveillance practices. Makes you wonder what else they're afraid is going to come out....

from the how-many-times-do-we-need-to-do-this dept

Years before Ed Snowden revealed how the NSA and DOJ had reinterpreted the PATRIOT Act and the FISA Amendments Act to allow the intelligence community to spy on Americans, Senator Ron Wyden tried to warn the public that this had happened:

We're getting to a gap between what the public thinks the law says and what the American government secretly thinks the law says.

For a couple of years after he said that, privacy and civil liberties advocates were forced into something of a guessing game to figure out what that secret law actually said. Eventually, the details were spilled by Ed Snowden who is, of course, now being threatened with a lifetime in prison for blowing the whistle.

This is not the only time that Wyden has made these kinds of warnings, and he's doing it again right now -- this time over CISA, the faux-"cybersecurity" bill that Wyden has made clear is really about surveillance. Recently released papers from the Snowden archives have made it clear why he's saying this, because it showed that, contrary to what's been said in the past, the NSA is using "cyber signatures" to sniff through upstream collections (their taps into the fiber backbone) under Section 702 of the FISA Amendments Act. And this opens up the information collected to so-called "back door" or "incidental" searches by the NSA. The whole point of CISA is to actually encourage companies to give the government more such "cyber signatures" which they can use to monitor the internet.

Wyden... claims that a classified Justice Department legal opinion written during the early years of the George W. Bush administration is pertinent to the upper chamber's consideration of cyberlegislation—a warning that reminds close observers of his allusions to the National Security Agency's surveillance powers years before they were exposed publicly by Edward Snowden.

[....]
"I remain very concerned that a secret Justice Department opinion that is of clear relevance to this debate continues to be withheld from the public," Wyden said in his written dissent against CISA, which cleared the Senate Intelligence Committee 14-1 in March. "This opinion, which interprets common commercial service agreements, is inconsistent with the public's understanding of the law, and I believe it will be difficult for Congress to have a fully informed debate on cybersecurity legislation if it does not understand how these agreements have been interpreted by the Executive Branch."

Last year, based on some breadcrumbs that Wyden dropped during the confirmation hearings for Caroline Krass as the CIA's new top lawyer, Marcey Wheeler dug into some more details about this document, and notes that it comes from the same period of time when the Bush administration was twisting itself into knots to justify warrantless wiretapping and torture. In other words, this document seems ridiculously relevant to the debate.

And while it appears that the vote on CISA has likely been delayed yet again, it seems like this is a fairly important detail.

In short, haven't we, as a country, learned enough to note that, when Senator Wyden points out that there's a secret interpretation of the law that is at odds with a plain reading of it, we should all be demanding answers?

Understandably, the administration was in no hurry to respond to this petition. In the immediate aftermath of the first leaks, no entity was more unpopular than the NSA. Snowden, on the other hand, probably could have won a number of local elections as a write-in candidate at that point. So, the administration sat on it, as it has sat on a great many petitions not particularly aligned with its desires.

Unfortunately, the public's opinion hasn't shifted much. As other agencies have become more plaintive in their requests to undermine privacy and safety to keep criminals from "going dark," the public has become less and less enthusiastic about being forced to make more sacrifices in the interest of security. The NSA also hasn't become more popular in the interim. So buying time by cherry-picking We The People petitions to respond to hasn't made answering this petition any easier for the administration.

More than two years later -- 763 days past the point it became a viable petition -- the administration has answered. And the answer could have been written two years ago, as it refuses to acknowledge Snowden's contribution to recent surveillance reforms. The response was written by Lisa Monaco, the president's advisor on Homeland Security and Counterterrorism. Considering the source, the response is unsurprising. But it starts off with a lie:

Since taking office, President Obama has worked with Congress to secure appropriate reforms that balance the protection of civil liberties with the ability of national security professionals to secure information vital to keep Americans safe.

Wrong. The "appropriate reforms" have been forced into existence by leaked documents Snowden provided. This "conversation" the President keeps claiming he always wanted to have only took place because he could no longer ignore it. This opening sentence is worse than merely disingenuous. It's a complete rewrite of Obama's civil liberties legacy. Before the Snowden leaks, Obama's stance on surveillance was "whatever Bush did, only more."

Next, Monaco goes on to say that no matter how instrumental Snowden was in the recent surveillance reforms (without ever actually saying that), he's still a just a criminal and should be treated as one.

Instead of constructively addressing these issues, Mr. Snowden's dangerous decision to steal and disclose classified information had severe consequences for the security of our country and the people who work day in and day out to protect it.

Except that this administration is no friend to whistleblowers. Snowden knew this. Snowden also knew the "proper channels" were mostly there to ensure whistleblowers were silenced and punished. So he ran. This administration has prosecuted more whistleblowers than all other administrations combined. When Snowden took off, it was five years into Obama's presidency, plenty of time to gauge what sort of odds the "proper channels" offered.

From that point, Monaco goes on to claim that the only legitimate act of civil disobedience is a punished act of civil disobedience.

If he felt his actions were consistent with civil disobedience, then he should do what those who have taken issue with their own government do: Challenge it, speak out, engage in a constructive act of protest, and -- importantly -- accept the consequences of his actions. He should come home to the United States, and be judged by a jury of his peers -- not hide behind the cover of an authoritarian regime. Right now, he's running away from the consequences of his actions.

First off, this is wrong. As has been explained countless times, under the Espionage Act, which is what Snowden would be charged under, he is not allowed to present the evidence in his defense that he was blowing the whistle on an illegal program (and yes, it has been ruled illegal). Nor is he allowed to argue that the leak was in the public interest. In other words, the law is stacked such that he cannot present his argument fairly. The deck is stacked and Monaco knows the deck is stacked and ignores that -- which is exceptionally dishonest.

I would imagine Monaco -- and by extension, the administration -- would also feel that those who hacked Hacking Team are the real criminals here, not the company that sold surveillance software and zero-day exploits to governments known for widespread abuse of their citizens. "Look, we appreciate them highlighting these dubious and likely illegal contracts. But to move forward, we really need to put the hackers who obtained the documents on trial."

But, honestly, no one expected this response to go any other way. No one who holds the top office in the nation is going to sell out the rest of the government for a whistleblower. So, it could have saved everyone the trouble and posted this answer June 26, 2013.

from the you-sort-of-won!-what-more-do-you-want? dept

Just as James Clapper's office was officially announcing the death of the bulk phone metadata program (ending November 29th, with three months of post-wind-down wind-down for data analysts), the DOJ was filing a motion in the Second Circuit Court of Appeals basically arguing that its finding that the program was illegal really doesn't matter anymore.

According to the DOJ, there really is no program -- at least if you don't count the six months the NSA has to make the move to the more targeted USA Freedom version. So this discussion about which program isn't authorized by which PATRIOT Act provision is… well, not completely moot, but like pretty much literally weeks away from moot, so why are we wasting our time here [EXASPERATED SIGH].

Plaintiffs’ claims will be moot when the bulk collection of telephony metadata under Section 215 ends on November 29, 2015, though they are not moot right now. On that date, the statutory authority for the Section 215 bulk telephony-metadata program will expire, and the data previously collected and held under that program will not be used in the future for intelligence-gathering or law-enforcement purposes. In the meantime, however, the Court should respect Congress’s decision to create an orderly transition away from the Section 215 bulk telephony-metadata program. Especially in light of Congress’s considered judgment that this program should continue for this limited period, plaintiffs are not entitled to any of the relief they request.

In support of its argument that the court should ignore its own findings and just listen to what the FISA Court said (and what legislators didn't say, but obviously intended), the government points to its own Tumblr post (certainly a historical moment in its own right) detailing the specifics of the end of Section 215.

On July 27, 2015, the Office of the Director of National Intelligence (ODNI) issued a public statement that the NSA has determined that “analytic access to that historical metadata collected under Section 215 . . . will cease on November 29, 2015,” at the end of the transition period. See Statement by ODNI on Retention of Data Collected Under Section 215 of the USA PATRIOT Act, available at http:// icontherecord.tumblr.com/post/125179645313/ statement-by-the-odni-on-retention-of-data (ODNI July 27 Statement). Thus, after that date, no further bulk collection of telephony metadata will take place under the Section 215 program, and the historical telephony metadata will not be used for intelligence or law-enforcement purposes and will not be disseminated.

To sum up: these past abuses should no longer be of concern as the data is going to be flushed (for the most part) within the next nine months. To better enable said data flush, the Second Circuit Court might want to wrap up the ACLU's suit (and hasten the end of the EFF's) so that no data is still being "preserved" past the November 2015 dump point.

To that end, the DOJ constantly reminds the Second Circuit that the FISA Court really has a handle on these sort of things and why don't we just leave it to the pros.

The FISC was right that Congress authorized the Section 215 bulk telephony-metadata program to continue during the six-month transition period. [p. 6]

As the FISC correctly noted, Congress’s decision to delay that ban for six months is a powerful indication that it intended to permit bulk collection in the interim period. [p. 9]

The FISC was thus correct when it observed that “after lengthy public debate, and with crystal clear knowledge of the fact of ongoing bulk collection of call detail records” Congress “chose to allow a 180-day transitional period . . . .” June 29 FISC Op. at 11. This Court need not and should not determine whether Congress “ ‘ratif[ied] the FISA Court’s interpretation of ’ ” Section 215. [p. 11]

This filing, like its Tumblr statement announcing the official end of the collection, emphasizes the single aspect of the Section 215 bulk collections that has been the focus of this litigation and most legislative efforts: phone metadata. The authorization, even in its altered, post-USA Freedom Act form -- provides for much more than just this one type of collection. The DOJ goes so far as to call the USA Freedom Act a "ban" on bulk, untargeted collections, when it actually doesn't go quite that far.

I believe both ACLU and EFF’s phone dragnet client Counsel on American Islamic Relations, had not only standing as clients of dragnetted companies, but probably got swept up in the two-degree dragnet. But CAIR probably has an even stronger case, because it is public that FISC approved a traditional FISA order against CAIR founder Nihad Awad. Any traditional FISA target has always been approved as a RAS seed to check the dragnet, and NSA almost certainly used that more back when Awad was tapped, which continued until 2008. In other words, CAIR has very good reason to suspect the entire organization has been swept up in the dragnet and subjected to all of NSA’s other analytical toys.

EFF, remember, is the one NGO that has a preservation order, which got extended from its earlier NSA lawsuits (like Jewel) to the current dragnet suit. So when I Con the Record says it can’t destroy all the data yet, it’s talking EFF, and by extension, CAIR. So this announcement — in addition to preparing whatever they’ll file to get the Second Circuit off its back — is likely an effort to moot that lawsuit, which in my opinion poses by far the biggest threat of real fireworks about the dragnet (not least because it would easily be shown to violate a prior SCOTUS decision prohibiting the mapping of organizations).

This announcement by Clapper's office, followed shortly thereafter on the same day by the filing of its response in the Second Circuit case, certainly gives the appearance that the NSA has lifted the corner of the rug and is just waiting for the signal to start sweeping any undiscovered abuses -- along with those previously exposed -- under it. That the expiration of the authority and the passage of the USA Freedom Act may have provided it with a better broom is unexpectedly fortuitous.

from the will-still-need-six-to-nine-months-of-additional-hammering-though dept

NSA has determined that analytic access to that historical metadata collected under Section 215 (any data collected before November 29, 2015) will cease on November 29, 2015. However, solely for data integrity purposes to verify the records produced under the new targeted production authorized by the USA FREEDOM Act, NSA will allow technical personnel to continue to have access to the historical metadata for an additional three months.

Caveats apply. Data will still be held as required by a handful of ongoing lawsuits. With the "bulk" part of the bulk records program shut down (but not completely), the government is obviously hoping for a speedy end to the litigation resulting from the Snowden leaks. That's the other motivating factor behind this public statement that not only states an end date, but the additional restrictions past that point.

This is a pretty remarkable moment in the security v. privacy battle, but there are still reasons to be concerned. The bulk telephony metadata program has received a majority of the focus since Snowden's initial leak and the NSA, at times, has seemed almost too willing to let this program act as a scapegoat for its multiple privacy-violating surveillance programs.

Not that there haven't been seriously heated (and seriously misguided) arguments offered in support of this program, but if you take a close look at the history of the debate over Section 215, the most-spirited defenses have not been raised by the NSA, but by legislators and former intelligence officials. The program appears to have been sacrificed in order to prevent more intrusive surveillance programs from being subjected to more intense scrutiny.

And it's not even the totality of what can be collected under Section 215. The statement from the ODNI specifically addresses only one kind of "tangible thing."

The telephony metadata preserved solely because of preservation obligations in pending civil litigation will not be used or accessed for any other purpose, and, as soon as possible, NSA will destroy the Section 215 bulk telephony metadata upon expiration of its litigation preservation obligations.

We don't know what else is being collected in bulk under the PATRIOT Act provision -- the same authority that expired this year and was replaced with the stipulations of the USA Freedom Act -- but we know it's more than just "telephony metadata." "Tangible things" encompasses far more than phone metadata ("books, records, papers, documents, and other items"), but this statement -- as well as arguments it's made in court in support of the six-month wind-down period -- only address phone records.

The Second Circuit Court found that the bulk collection of records under Section 215 was likely illegal. That opinion called into question anything collected under this authority, but the government here (and in its recent filing in the Second Circuit Court) acts as though the "illegal" collection activity is limited solely to phone records.

Other NSA programs are going to be far more useful in gathering data and intelligence than the collection of phone records. Phone calls may never go away entirely, but the shift to mobile communications (followed shortly thereafter by the shift to feature phones and smartphones) has made phone calls the least used feature on these devices. Messaging programs and social media platforms now carry the bulk of everyday communications. And the NSA has programs in place to sweep up these as well, whether as content or metadata. So, all of this focus on "telephony" only serves to obscure what else it may still collect with the revamped program, as well as everything else it does under much more secretive legal authorities.

from the this-is-why-strong-crypto-is-your-friend dept

At the start of the year, we wrote about an important point made by Bruce Schneier and Edward Snowden concerning information asymmetry in the world of spying -- the fact that the US and the West in general have far more to lose by undermining security in an attempt to gain as much information as possible about other countries, than they have to gain. A fascinating analysis from Bloomberg indicates that this also applies to the "collect it all" mentality. The article raises the troubling possibility that both the huge OPM data breaches were not only the work of Chinese state actors, but part of a much larger plan:

Some investigators suspect the attacks were part of a sweeping campaign to create a database on Americans that could be used to obtain commercial and government secrets.

"China is building the Facebook of human intelligence capabilities," said Adam Meyers, vice president of intelligence for cybersecurity company CrowdStrike Inc. "This appears to be a real maturity in the way they are using cyber to enable broader intelligence goals."

The Bloomberg article suggests that China started gathering first travel records, then health records, Social Security numbers and other personal information on Americans in an attempt to build an increasingly complete picture about huge swathes of the US population. Whether or not that new "collect it all" approach was directly inspired by the NSA's espousal of the idea is a detail: it was certainly brought to prominence by General Alexander's statements, and is now part of the common currency of surveillance.

It is made possible by lax security, even for huge datasets, as the OPM fiasco shows. That means it is entirely plausible for the Chinese secret services -- and for those of other nations -- to try to collect information about every US or EU citizen, as people's lives move online, and their most personal data is stored in Internet-accessible databases.

Standing in the way of achieving that is the strength of the security protecting that information -- something that governments around the world are now threatening to undermine in the name of their own offensive surveillance capabilities. How many hundreds of millions of personal records must be lost before the authorities wake up to the fact that if they compromise encryption, the only thing they are certain to achieve is to make the task of "collecting it all" easier for China and other nations?

from the png,-here-we-come dept

You may recall the mess a few years ago when, under pressure from the movie studios, along with Netflix and Microsoft, the W3C agreed to add DRM to HTML5. This resulted in lots of debates and reasonable anger from people who found that the idea of building DRM into HTML5 went against the idea of an open internet. And, now it appears that the organization behind the JPEG standard for images is heading down a similar path.

Further details suggest DRM that has all sorts of conditions included:

What's interesting is that some are claiming this is based on this research paper that pitches such DRM for the purpose of protecting images from surveillance and such:

— With the popularization of online social networks
(OSNs) and smart mobile devices, photo sharing is becoming
a part of people’ daily life. An unprecedented number of
photos are being uploaded and shared everyday through online
social networks or photo hosting services, such as Facebook,
Twitter, Instagram, and Flickr. However, such unrestrained
online photo or multimedia sharing has raised serious privacy
concerns, especially after reports of citizens surveillance by
governmental agencies and scandalous leakage of private photos
from prominent photo sharing sites or online cloud services.
Popular OSNs typically offer privacy protection solutions only
in response to the public demand and therefore are often
rudimental, complex to use, and provide limited degree of
control and protection. Most solutions allow users to control
either who can access the shared photos or for how long
they can be accessed. In contrast, in this paper, we take a
structured privacy by design approach to the problem of online
photo privacy protection. We propose a privacy-preserving
photo sharing architecture based on a secure JPEG scrambling
algorithm capable of protecting the privacy of multiple users
involved in a photo. We demonstrate the proposed photo sharing
architecture with a prototype application called ProShare that
offers JPEG scrambling as the privacy protection tool for
selected regions in a photo, secure access to the protected
images, and secure photo sharing on Facebook.

Now that's definitely interesting, but it still raises some concerns about whether such DRM would actually be used to protect an individual's privacy or (much more likely) to try to limit public use of images for other reasons, such as trying to set up tollbooths on use (even fair use). I also wonder how effective any image-based DRM can really be in the longterm, given the ease of simply screenshotting an image to make a copy.

from the wishful-thinking dept

Benjamin Wittes, one of the NSA apologists ensconced at Lawfare, has written a long piece in defense of FBI head James Comey's assertions that there must be some way tech companies can give him what he wants without compromising the privacy and security of every non-terrorist/criminal utilizing the same broken encryption.

The theory is that companies have every incentive for market reasons to protect consumer privacy, but no incentives at all to figure out how to provide law enforcement access in the context of doing so.

There's some truth to this theory. Tech companies are particularly wary of appearing to be complicit in government surveillance programs as a couple of years of leaks have done considerable damage to their prospects in foreign markets.

Wittes suggests the government isn't doing much to sell this broken encryption plan, despite Comey's multiple statements on the dangers posed by encrypted communications. And he's right. If the government truly wants a "fix," it needs to start laying the groundwork. It can't just be various intel/law enforcement heads stating "we're not really tech guys" and suggesting tech companies put the time and effort into solving their problems for them.

If we begin—as the computer scientists do—with a posture of great skepticism as to the plausibility of any scheme and we place the burden of persuasion on Comey, law enforcement, and the intelligence community to demonstrate the viability of any system, the obvious course is government-sponsored research. What we need here is not a Clipper Chip-type initiative, in which the government would develop and produce a complete system, but a set of intellectual and technical answers to the challenges the technologists have posed. The goal here should be an elaborated concept paper laying out how a secure extraordinary access system would work in sufficient detail that it can be evaluated, critiqued, and vetted; think of the bitcoin paper here as a model. Only after a period of public vetting, discussion, and refinement would the process turn to the question of what sorts of companies we might ask to implement such a system and by what legal means we might ask.

Thus ends the intelligent suggestions in Wittes' thinkpiece. Everything else is exactly the sort of thing Comey keeps hinting at, but seems unwilling to actually put in motion. It's the government-power elephant in the room. Actually, several elephants. It's the underlying, unvocalized threat that lies just below the surface of Comey's government-slanted PR efforts. Wittes just goes through the trouble of vocalizing them.

First, he gives Comey's chickenshit, ignorant sales pitch a completely disingenuous, self-serving reading. Comey has refused to acknowledge the fact that what he's seeking is not actually possible. He claims he doesn't have the tech background to make more informed assertions while simultaneously insisting the solution exists -- and could easily be found if only these tech companies were willing to apply themselves.

[Comey] is talking in very different language: the language of performance requirements. He wants to leave the development task to Silicon Valley to figure out how to implement government's requirements. He wants to describe what he needs—decrypted signal when he has a warrant—and leave the companies to figure out how to deliver it while still providing secure communications in other circumstances to their customers.

The advantage to this approach is that it potentially lets a thousand flowers bloom. Each company might do it differently. They would compete to provide the most security consistent with the performance standard. They could learn from each other. And government would not be in the position of developing and promoting specific algorithms. It wouldn't even need to know how the task was being done.

In Wittes' estimation, Comey is being wise and promoting open innovation, rather than just refusing to openly acknowledge that his desire to access and intercept communications far exceeds his desire to allow millions of non-criminals access to safer connections and communications.

Wittes goes on to offer a handful of "solutions" to the Second Crypto War. Not a single one includes the government growing up and learning to deal with the new, encrypted status quo. He follows up the one useful suggestion -- government research exploring the feasibility of the proposed encryption bypass -- with one of his worst ideas:

If you simply require the latter [law enforcement access] as a matter of law, [tech companies] will devote resources to the question of how to do so while still providing consumer security. And while the problems are hard, they will prove manageable once the tech giants decide to work them hard—rather than protesting their impossibility.

There's not a worse idea out there than making certain forms of encryption illegal to use in the United States. But Wittes tries his hardest to find equally awful ideas. Like this one, which would open tech companies to an entire new area of liability.

Another, perhaps softer, possibility is to rely on the possibility of civil liability to incentivize companies to focus on these issues. At the Senate Judiciary Committee hearing this past week, the always interesting Senator Sheldon Whitehouse posed a question to Deputy Attorney General Sally Yates about which I've been thinking as well: "A girl goes missing. A neighbor reports that they saw her being taken into a van out in front of the house. The police are called. They come to the home. The parents are frantic. The girl's phone is still at home." The phone, however, is encrypted.

Wittes quotes Whitehouse's statements, in which he compares encryption to industrial pollution and suggests tech companies -- not the criminal in question; not the investigators who are seemingly unable to explore other options -- be held liable for the criminal's actions. Wittes poses a rhetorical question -- one that assumes most of America wants what Comey wants.

Might a victim of an ISIS attack domestically committed by someone who communicated and plotted using communications architecture specifically designed to be immune, and specifically marketed as immune, from law enforcement surveillance have a claim against the provider who offered that service even after the director of the FBI began specifically warning that ISIS was using such infrastructure to plan attacks? To the extent such companies have no liability in such circumstances, is that the distribution of risk that we as a society want?

Holding companies responsible for the actions of criminals is completely stupid. Providing encryption to all shouldn't put companies at risk of civil suits. The encryption isn't being provided solely for use by bad guys. It makes no more sense than holding FedEx responsible for shipments of counterfeit drugs. And yet, we've seen our government do exactly that, in essence requiring every affected private company to act as deputized law enforcement entities, despite there being no logical reason to put them in this position. Wittes feels the best solutions involve the government forcing companies to bend to its will, and provide compromised encryption under duress.

The final solution proposed by Wittes is to let everything go to hell and assume the political landscape -- along with tech companies' "sympathies" -- will shift accordingly. This would be the "let's hope for the tragic death of a child" plan:

[W]e have an end-to-end encryption issue, in significant part, because companies are trying to assure customers worldwide that they have their backs privacy-wise and are not simply tools of NSA. I think those politics are likely to change. If Comey is right and we start seeing law enforcement and intelligence agencies blind in investigating and preventing horrible crimes and significant threats, the pressure on the companies is going to shift. And it may shift fast and hard. Whereas the companies now feel intense pressure to assure customers that their data is safe from NSA, the kidnapped kid with the encrypted iPhone is going to generate a very different sort of political response. In extraordinary circumstances, extraordinary access may well seem reasonable.

If this does happen, Wittes' assumption will likely be correct. Politicians have never been shy about capitalizing on tragedies to nudge the government power needle. This will be no different. One wonders why no one has come forward with a significantly compelling tragedy by this point, considering the wealth of encryption options currently on the market. A logical person would assume this lack of compelling anecdotal evidence would suggest encryption really hasn't posed a problem yet -- especially considering the highly-motivated sales pitches that have been offered nonstop since Google and Apple's announcement of their encryption-by-default plans. The "problem" Comey and others so desperately wish to "solve" remains almost entirely theoretical at this point.

But the FBI and others aren't going to wait until the next tragedy. They want the path of least resistance now. The solutions proposed by Wittes are exactly the sort of thing they'd be interested in: expanded government power and increased private sector liability. This is why Comey has no solution to offer. There is none. There is only the option of making companies do what he wants, but he's too wary of public backlash to actually say these things out loud. Wittes has saved him the trouble and proven himself no more trustworthy than those who want easy access, no matter the negative implications or unintended consequences of these actions.